General Privacy Policy

The Slovak version of the General Information on Personal Data Protection is available at the following address.


This document (hereinafter referred to as the "General Information") serves to fulfill our informational obligations in accordance with Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

This General Information is intended for our customers, contractual partners, the public, and visitors to our premises or the website http://www.kpmg.sk/, as well as other websites and applications under our management that reference this General Information. We advise all individuals to thoroughly acquaint themselves with the information presented here.
In addition to this document, there exists other specific information regarding the processing of personal data, which either pertains to this General Information or serves to supplement or clarify it in relation to particular processing operations or circumstances. The specific information takes precedence over this General Information; however, it is applicable in conjunction with the General Information. Consequently, it is essential to read the specific information alongside the General Information.


This mainly concerns the following information:

 

1. Identification and contact information of the controller and Data Protection Officer (DPO)

The terms “KPMG,” “we,” “our,” and “us” refer to the following companies, which act either individually as data controllers or jointly as joint controllers:

  (i) KPMG Slovensko Advisory, k.s. (as the main contact point), with its registered office at Dvořákovo nábrežie 10, 811 02 Bratislava, Company ID No.: 31 403 417, registered in the Commercial Register of the Municipal Court Bratislava III, Section: Sr, Insert No.: 272/B;
  (ii) KPMG Slovensko spol. s r.o., with its registered office at Dvořákovo nábrežie 10, 811 02 Bratislava, Company ID No.: 31 348 238, registered in the Commercial Register of the Municipal Court Bratislava III, Section: Sro, Insert No.: 4864/B;
  (iii) KPMG Legal s.r.o., with its registered office at Dvořákovo nábrežie 10, 811 02 Bratislava, Company ID No.: 47 238 623, registered in the Commercial Register of the Municipal Court Bratislava III, Section: Sro, Insert No.: 81210/B;
  (iv) KPMG Valuation s.r.o., with its registered office at Dvořákovo nábrežie 10, 811 02 Bratislava, Company ID No.: 44 744 820, registered in the Commercial Register of the Municipal Court Bratislava III, Section: Sro, Insert No.: 58279/B.

The exact role of each company (controller vs. joint controller) is explained in relation to each specific purpose in Section 2 below. In some cases, we also act as processors on behalf of our clients, where processing is carried out in their name; see more in Section 2 below. To contact us, please use the postal addresses provided above or the following email address for general inquiries: kpmg@kpmg.sk.

All the above-mentioned KPMG entities have appointed and share the same internal Data Protection Officer (hereinafter referred to as the “DPO”). The DPO serves as the contact point for all requests and questions related to data subjects. Contact details of the DPO:


Data Protection Officer of KPMG

KPMG Slovensko Advisory, k.s.
Dvořákovo nábrežie 10, 811 02 Bratislava
privacy@kpmg.sk


When the KPMG entities act as joint controllers, they do so on the basis of a Joint Controller Agreement concluded pursuant to Article 26 of the GDPR. This agreement is internally available to all employees via the intranet, and its essence is as follows:


The joint controllers are obliged to:

  • process personal data for the same purpose, which is specified in these General Information;
  • not make any unilateral decisions on other or additional purposes of joint processing without the consent of the other joint controllers;
  • carry out all processing within the same information system, which is accessible to designated employees selected by the joint controllers;
  • fulfil the information and transparency obligations under Articles 12, 13, and 14 of the GDPR on the basis of these Global Privacy Principles, which are internally managed and updated by KPMG Slovensko Advisory, k.s. as the joint controller designated for fulfilling such information and transparency obligations;
  • use the contact details of KPMG Slovensko Advisory, k.s. provided in these General Information as the common contact details of the DPO, designated as the common contact point for all joint controllers referred to in these General Information, without prejudice to the right of data subjects to address their requests to any of the joint controllers individually;
  • use the same internal DPO appointed by KPMG Slovensko Advisory, k.s. for handling all data subject requests;
  • adopt uniform organisational and security measures for the joint processing of personal data;
  • bear joint and several liability for any damage or infringements caused by the joint controllers to data subjects or third parties;
  • determine the exact scope of processing by issuing common instructions to their designated employees pursuant to Article 29 of the GDPR;
  • fully comply with other internal regulations and procedures adopted within KPMG.

Further information regarding our role in the processing of personal data can be found in this document, which is updated on an ongoing basis.


2. Overview of Processing (Purposes of Processing and Legal Bases)

This table provides a basic overview of the purposes for which personal data are processed within KPMG, as well as an overview of the legal bases on which we rely:

Purpose of processing and legal basis:

  1. Provision of services
     Legal basis: Performance of a contract, legitimate interest, and compliance with legal obligations
  2. Employment-related purposes
     Legal basis: Performance of a contract, legitimate interest, compliance with legal obligations, and consent
  3. Security of IT systems and personal data
     Legal basis: Compliance with legal obligations and legitimate interest
  4. Legal and contractual purposes
     Legal basis: Legitimate interest, compliance with legal obligations, and performance of a contract
  5. Compliance with various legal obligations
     Legal basis: Compliance with legal obligations
  6. Protection of property and ensuring security
     Legal basis: Legitimate interest
  7. Direct marketing and PR purposes
     Legal basis: Legitimate interest and consent
  8. Statistical purposes
     Legal basis: Legal bases of the other compatible purposes (see above) based on Recital 50 and Article 89 of the GDPR, and legitimate interest


Simple Explanation of Each Processing Purpose:

Provision of Services

This purpose primarily covers our main business and commercial activities related to the provision of various advisory and other services. In such cases, the processing of personal data is an essential part of delivering audit, tax, transaction (M&A), legal, consulting, and HR services, as well as information society services and related support and digitalisation activities.

The specific service provided depends primarily on the respective KPMG entity and its specific business authorisation. In certain service delivery models, we may act as a data processor on behalf of our clients, who retain the role of data controller (see more detailed descriptions of processing purposes below).
 

Employment-related purposes

This purpose is pursued within various employment relationships, primarily in our capacity as employer towards our employees and their family members, job applicants, and former employees.

It includes fulfilling statutory obligations of the employer (e.g. payroll, taxes, health and safety), recruitment, human resource management and development, provision of benefits, internal and external PR communication, data sharing within the KPMG network, promotion of diversity and inclusion, implementation of employer control mechanisms, and, in times of extraordinary circumstances, also measures to protect public health.

For further details on employment-related processing and HR matters, please refer to the specific document dedicated to employees and job applicants.


IT Systems and Data Security

Processing of personal data is essential for monitoring users and devices (including SIEM, DLP, logs, and network traffic) and for assessing and handling security incidents (including personal data breaches).
We document incidents, collect forensic evidence of unlawful conduct, and report personal data breaches to the competent supervisory authorities.
We create operational and backup copies, encrypt them, and use them for recovery after incidents. All these activities necessarily involve the processing of personal data of users of our ICT assets.
 

Legal and Contractual Purposes

To exercise legal claims and defend our interests, we process personal data during contract preparation, litigation, administrative proceedings, debt recovery, and evidence collection.
Within corporate governance, we record data on shareholders and managing directors, prepare documents for the Commercial Register, and ensure compliance with legal regulations, including contractual matters and audits.
As our group also includes a law firm, this purpose comprehensively covers its activities as well, in accordance with the approved Code of Conduct for the Processing of Personal Data by Lawyers.


Compliance with Legal Obligations

This purpose covers all situations in which we must process personal data of various data subjects to fulfil our legal obligations under applicable general and sector-specific laws.
It therefore includes compliance with legislation, particularly in the fields of auditing, taxation, labour law, and data protection.

Typical processing involves recording and retaining accounting documents and invoices, fulfilling tax obligations, identifying and verifying persons within the AML agenda, detecting unusual transactions, and screening partners against sanctions lists.

GDPR compliance includes handling data subject requests, managing consents, and notifying data breaches.

Whistleblowing includes receiving and assessing reports of misconduct and ensuring the protection of whistleblowers.


Protection of Property and Security

For this purpose, we control access and movement within our premises, including through electronic entry means and surveillance camera systems.


Direct Marketing and PR Purposes

Within marketing activities, we process your personal data for targeted advertising, which includes personalised content display on websites and direct marketing outreach via various communication channels, including social media.

We also use marketing analytics to assess website traffic and campaign effectiveness through various analytical tools, provided that you have consented to the use of cookies.

This purpose allows us to use personal data to carry out our internal and external marketing and PR communications, including the promotion of achievements and activities of KPMG employees and companies.


Statistical Purposes

These purposes generally allow us to use any lawfully processed personal data we have already collected to produce aggregated and anonymised statistics.

Such data are used to monitor various indicators and KPIs important for strategy, business, and management within the KPMG group.

The outputs of this processing typically include various statistical summaries, analyses, and reports for internal management and external reporting within the wider KPMG network.

We fulfil our information obligations through a layered approach. Therefore, a detailed explanation of each processing purpose at the level of processing activities, as well as a more detailed description of our role in the processing of personal data for each purpose, can be found in this document, which we update on an ongoing basis.


3. Compatible Processing Purposes

In certain cases, we may collect your personal data for a specific purpose listed here, but later it may become necessary to process the same data for additional purposes that we could not have anticipated at the time of collection. If we do not have your consent for the new purpose or the processing is not required by law, we may proceed only if these additional purposes are compatible with the original purposes.

Below, we provide standard situations that frequently arise in practice and which have passed the compatibility test under Article 6(4) GDPR.

Compatible purpose: Legal and contractual purposes
Original purposes: In principle, any of the purposes of processing listed here
Explanation: It cannot be ruled out that legal disputes, proceedings, and the need for evidence in them may arise on the basis of, and may relate to, any personal data originally processed for any other purpose.

Compatible purpose: Compliance with various legal obligations
Original purposes: Provision of services
Explanation: In fulfilling various legal obligations (as explained in more detail above), we must necessarily report or process personal data that we have obtained in the course of providing services.

Compatible purpose: Development, security of IT systems and personal data
Original purposes: In principle, any of the purposes of processing listed here
Explanation: The processing of personal data in electronic form takes place for all the purposes of processing listed here within the same IT environment. The need to ensure an adequate level of security objectively requires working with all purposes as original.

Compatible purpose: Direct marketing and PR purposes
Original purposes: Provision of services and fulfilment of various legal obligations
Explanation: Tailoring our services to existing clients necessarily requires working with the context of the client, their contact details, and their use of our services, where we have obtained this underlying data in the course of providing financial services and ensuring compliance with legal regulations.

Compatible purpose: Statistical purposes
Original purposes: In principle, any of the purposes of processing listed here
Explanation: For these purposes, Recital 50 and Article 89 of the GDPR directly recognise that these are automatically compatible purposes of processing, or that this fact arises from the nature of the purposes, which do not make sense without the underlying information.

Compatible purpose: Archiving in the public interest


4. Legal Bases

In the overview of processing above, we specify for each purpose the legal basis on which we rely to process personal data. In general, we can only rely on the legal bases listed in Article 6(1) GDPR. The main legal bases we rely on are as follows:

  • Your Consent: Occasionally, we may request your consent to process your personal data in accordance with Article 6(1)(a) GDPR. You can withdraw your consent at any time by contacting KPMG at privacy@kpmg.sk or through available technical means (e.g., on our website or via cookie banners).

    The standard validity of a consent is 1 year. However, if a more specific duration is indicated in the consent itself, in a privacy notice, or in these General Information, the more specific duration prevails.

    Please note that withdrawing consent does not affect the lawfulness of prior processing. For direct marketing, withdrawal of consent and objection to marketing have the same effect. Withdrawal of consent must always be as easy as giving it.
  • Performance of a Contract: This applies when processing your personal data is necessary to fulfil our obligations arising from a contract with you, including pre-contractual arrangements at your request, as allowed by Article 6(1)(b) GDPR.
  • Legal Obligation: This applies when we are required to process your personal data to comply with a legal obligation (e.g., labour law, employment law, accounting, tax administration, or providing information to a public authority or law enforcement).
    A legal provision may not always explicitly specify which data must be processed, but where a legal obligation exists, necessary processing of personal data to comply with that obligation is based on Article 6(1)(c) GDPR.
  • Legitimate Interest: We may process information about you if it is in our legitimate interest in performing a lawful activity, provided that your rights and interests do not override this interest. Specific legitimate interests are explained in Sections 1–13 above.

The specific legal basis on which we rely for a particular processing purpose or specific activity can be found in this document.
 

5. What legitimate interests do we pursue?

We use legitimate interest as a legal basis for almost every processing purpose. This may involve our own legitimate interest or the legitimate interest of a third party (e.g., a client). In this document, we indicate all processing operations or activities that we carry out on the legal basis of legitimate interest under Article 6(1)(f) GDPR by underlining them. Below, we provide an overview of the legitimate interests pursued.

Purpose of processing and legitimate interests pursued:

1. Provision of services
  • Participation in elections for the Chamber of Auditors.
  • Provision of non-audit services to entities of public interest or special significance.
  • Provision of tax advice to legal entities (including advice on mergers and acquisitions, corporate income tax, VAT, Remote Working Mobility checks, and assistance with tax audits).
  • All activities described in more detail in the so-called table of purposes.
  • Concluding contractual relationships with clients (legal entities), including pre-contractual relationships.
  • Representing clients before courts, public authorities, and other legal entities; defence in criminal proceedings.
  • Providing legal advice.
  • Drafting documents on legal acts, preparing legal analyses.
  • Management of clients' assets and other forms of legal advice and assistance.
  • Communication with clients and other individuals regarding the performance of professional or contractual relationships.
  • Searching for evidence in favour of the client.
  • Legal advice within the scope of the function of the responsible person under the GDPR.
  • Provision of non-legal services by a law firm.
  • Internal administrative activities supporting the provision of legal and other services.
  • Provision of consulting services in the area of strategic business management.
  • Provision of services in the field of human resources management.
  • Organisation of professional development training through the KPMG Business Institute.
  • Organisation of educational webinars and professional conferences.

2. Employment-related purposes
  • Verification of integrity for successful job applicants.
  • Identification of personality traits and suitable characteristics when filling specific management positions.
  • Use of LinkedIn services to search for suitable job applicants.
  • Processing data in SAP SuccessFactors and other HR systems.
  • Exit process from employment (except exit interviews).
  • Tools for internal communication and collaboration.
  • Human resources development and evaluation.
  • Provision of benefits.
  • Implementation of internal PR communication with KPMG employees.
  • Implementation of external PR communication with KPMG employees.
  • Sharing of employee data for internal administrative purposes within the KPMG group.
  • Promotion of diversity and inclusion within KPMG Slovakia's human resources.
  • Employer control mechanisms.
  • Compliance with necessary measures to protect public health in the workplace.

3. Security of IT systems and personal data
  • Monitoring users and devices.
  • Analysing and evaluating all reports and suspicious events.
  • Analysing and correlating vulnerabilities.
  • Activities of the global KPMG SOC centre.
  • IT communication with the global SOC.
  • Incident reporting within the KPMG group.
  • Establishment and operation of an internal Incident Response Team.
  • Remote data deletion.
  • Control of information collection upon termination of cooperation.
  • Audits, supplier verification, and penetration testing.
  • Software development, improvement, and testing.
  • IT support and administration of internal IT systems, networks, and applications during their operation.
  • Use of data obtained by monitoring users and devices for compatible purposes.

4. Legal and contractual purposes
  • Proving, enforcing, and defending legal claims (legal agenda).
  • Debt collection.
  • Litigation, proceedings, and inquiries.
  • Contractual agenda (in relation to contractual partners who are legal entities).
  • Due diligence and sale of companies (corporate agenda).
  • Electronic communication with public authorities (E-Government).
  • Internal quality and risk management.

5. Compliance with various legal obligations
  • Evaluation of politically exposed persons and sanctions lists (AML).
  • Submitting notifications, cooperation requests, or inquiries to public authorities (AML).
  • Obtaining personal data by copying, scanning, or otherwise recording official documents on an information carrier, including birth numbers and other data (AML).
  • Validation of consents already granted (GDPR).

6. Protection of property and ensuring security
  • Protection of property, health, and safety within the framework of camera security systems and registration of entries into our premises.

7. Direct marketing and PR purposes
  • Targeted addressing and contacting of existing clients with offers of similar goods and services (electronic communication).
  • Raising awareness and reputation (PR activities) through social media profiles.
  • Creation and adaptation of marketing messages based on profiling and marketing tools.
  • Marketing analysis of websites and fan pages.

8. Statistical purposes
  • Creation of aggregated anonymous statistical data from the processing of personal data.


The predominance of these legitimate interests over the rights and freedoms of data subjects has been assessed by us in general terms with a positive outcome. As a data subject, you do have the right to object to this processing; however, Article 21(1) GDPR specifies that this objection must be “for reasons related to your particular situation.” This means that your objection should be justified by your specific circumstances in order to be successful. This does not apply to direct marketing purposes, where an objection means that we must stop processing for these purposes.


6. Collection and Use of Personal Data

In general, we collect personal data about you if you choose to provide it—for example, to contact you by email or to register for certain services. In these cases, providing personal data is strictly voluntary and is not required by law. If you do not provide the data, we may not be able to contact you, send you communications, or allow you to use certain services. In some cases, you may have previously provided your personal data to KPMG (for example, if you are a former employee). If you have signed a contract with KPMG, providing personal data may be a contractual requirement, and KPMG may be legally obliged to collect such information. There may also be a legal requirement to provide information regardless of whether a contract has been signed. Failure to provide information may result in a breach of contract or the inability to fulfill contractual or legal obligations.

If you choose to register or log in to a KPMG website using a third-party single sign-on service that verifies your identity and links your social media login credentials (e.g., LinkedIn, Google, or X (formerly Twitter)) with KPMG, we will collect all information or content necessary for registration or login that you have allowed the social media provider to share with us, such as your name and email address. Additional information we collect may depend on the privacy settings you have configured with the social media provider, so please read the privacy statement or policies of the respective service.

By registering and/or providing personal data to KPMG, you acknowledge that KPMG may use this information in accordance with these general privacy principles. Your personal data will not be used for other purposes unless we obtain your consent or unless required or permitted by law or professional standards. For example, if you register on a KPMG website and provide information about your preferences, we will use this information to customize your user experience. If you register or log in via a third-party single sign-on, we may also recognize you as the same user across different devices you use and customize your experience on other KPMG sites you visit.

If you send us an email requesting information about KPMG, we will use your email address and any other information you provide to respond to your request. If you submit a resume or curriculum vitae (CV) to apply for a position at KPMG online, we will use the information you provide to match you with available job opportunities. If you are an unsuccessful applicant or leave KPMG as an employee, we may retain and process your data for 1 year if you provide your consent.

In some cases, when you register for certain services, we may temporarily store your email address until we receive confirmation of the information you provided via email (e.g., when we send a confirmation email to verify a subscription request).

KPMG collects “sensitive” personal data only if you voluntarily provide it or if collection is required or permitted by law or professional standards. Sensitive information includes personal data relating to race, ethnic origin, political opinions, trade union membership, religious or similar beliefs, physical or mental health, sexual life, or criminal record. When providing sensitive information to KPMG, do so at your discretion and never provide sensitive information unless you give KPMG consent to use this information for its legitimate business purposes and agree to the transfer and storage of such information in KPMG databases. If you have any questions about whether providing sensitive information to KPMG is necessary or appropriate for specific purposes, please contact KPMG at privacy@kpmg.sk.


7. Cookies and Similar Tools

For more information on how we use cookies, online tracking tools, and similar technologies, please refer to our “Cookies Policy”.


8. Your Rights as a Data Subject

If you have provided personal data to KPMG, you have the following rights:

  • Access and rectification: You have the right to reasonable access to the personal data we process about you. Access primarily means being informed whether we are processing your personal data, providing specific information about how we process it (Art. 15(1) GDPR), as well as providing copies of the processed personal data (Art. 15(3) GDPR). Before providing personal data, we may ask you to prove your identity and provide sufficient information about your interactions with us so that we can locate your personal data. If the information we process about you is incorrect or incomplete, you can request that we correct or complete your personal data.
  • You also have the right to request the deletion of your personal data and the right to restrict the processing of your personal data. However, these rights are not absolute. We recommend familiarizing yourself with Articles 17 and 18 GDPR, which set out the specific conditions for exercising these rights.
  • You can withdraw your consent at any time by contacting KPMG at privacy@kpmg.sk or via available technical means (e.g., on the website or through a cookie banner).
  • You also have the right not to be subject to automated individual decision-making without meeting additional conditions under Art. 22 GDPR. These conditions include, among other things, the right to human intervention.
  • You also have the right to data portability if Art. 20 GDPR applies.
  • You have the right for us to fulfill our notification obligations toward you under Art. 19 GDPR in connection with the correction, deletion, or restriction of processing of your personal data.

We expressly draw your attention to your right to object:

  • General: You have the right to object at any time to any processing of your personal data based on legitimate interest, including profiling based on this legal basis.
  • Direct Marketing: If we process your personal data for direct marketing purposes, you have the right to object at any time to such processing for direct marketing purposes, including marketing profiling. Such an objection has the same effect as withdrawing consent, and upon receiving such objection, we must stop using your data for these purposes.

Please note that most of the rights mentioned are not absolute and require meeting additional conditions. We may ask you for further information to verify whether these conditions are met, properly assess the scope of your request, or confirm your identity. Failure to provide the requested additional information may delay our response or result in not providing the requested information.

You can also request or exercise these rights regarding updating or deleting your information by contacting KPMG at privacy@kpmg.sk, and we will make all reasonable and practical efforts to comply with your request, provided it is in accordance with applicable laws and professional standards.
 

9. Recipients and Cross-Border Transfer of Personal Data

We do not provide personal data to third parties unconnected to us, except when necessary for our legitimate professional and business purposes, to fulfill your requests, and/or when required or permitted by law or professional standards. This includes:

  • Our Service Providers: KPMG collaborates with reputable partners, service providers, or agencies to process your personal data on our behalf. KPMG will provide personal data to them only if they meet our strict standards regarding data processing and security. We provide personal data to them solely so that they can deliver their services, based on and within the scope of a pre-agreed data processing agreement under Art. 28(3) GDPR. This group of recipients of your personal data acts as processors and primarily includes cloud service providers, information society service providers, web hosting service providers, online advertising service providers, statistical and analytical service providers, social media service providers enabling targeted advertising to representatives of our clients, visitors to our websites, or segmented social media users, as well as providers of security services and cybersecurity tools, among others.
  • Other categories of recipients of your personal data who obtain and process it as controllers for their own purposes: In the case of our employees, this may include, in particular, the Social Insurance Agency, health insurance companies, pension fund management companies, providers of systems offering various benefits, other KPMG group companies, other parties to a business transaction and their legal representatives and advisors in the event that our company or part of it is involved in a sale, notaries, lawyers, bailiffs, experts, sworn translators, external auditors, the National Agency for Network and Electronic Services (NASES) when using our e-box, and professional chambers.

    In the case of our clients and their representatives and employees, we may provide their personal data primarily to other parties to a business transaction and their legal representatives and professional advisors, the National Agency for Network and Electronic Services (NASES) when using our e-box, other parties involved in legal proceedings and process-participating persons in case of assuming legal representation, business partners of our clients, statutory representatives of the client, and persons acting on behalf of the client; as well as the ultimate beneficiaries of client benefits (within the framework of AML procedures).
  • So-called third parties who, under GDPR, do not have the status of recipients of personal data: This mainly refers to law enforcement authorities, courts, and other state authorities that may obtain your personal data for their own purposes when exercising their powers, controls, or state supervision. We are not obliged to inform you about these entities under GDPR. However, we assure you that any request from a public authority for personal data is thoroughly legally assessed and verified, and KPMG will comply only to the legally required extent in fulfilling our statutory obligations, while ensuring compliance with the fundamental principles of personal data processing under Art. 5(1) GDPR, established case law of the Court of Justice of the EU, and the protection of the fundamental rights of the data subject under the Charter of Fundamental Rights of the EU and the Constitution of the Slovak Republic.

    KPMG will not comply with any unlawful, unjustified, or excessive requests for the provision of personal data and other information protected by specific statutory confidentiality obligations from public authorities or any other third parties and will take all available legal measures and steps necessary to protect the data subject’s right to personal data protection and to maintain KPMG’s confidentiality and professional discretion.

In addition, KPMG may transfer certain personal data across geographic borders to other KPMG member firms or to external companies that work with us or on our behalf. KPMG may also store personal data in a jurisdiction different from the one in which you are located. By providing personal data online, visitors agree to this cross-border transfer and/or storage of their personal data. In this context, cross-border transfers mainly occur to Canada and the USA, although transfers to other KPMG entities worldwide cannot be excluded.

For transfers to our U.S. sister KPMG companies, cross-border transfers to a third country ensuring an adequate level of personal data protection will take place also based on their certification under the EU - US Data Privacy Framework, which is subject to the relevant European Commission adequacy decision. This allows, to a limited extent, “intragroup” cross-border transfers to the USA under Art. 45 GDPR without the need to conclude Standard Contractual Clauses (SCCs) or implement additional measures.

The same applies to our intragroup transfers to the United Kingdom, which can be carried out under the relevant European Commission decision, as well as transfers to Canada, which can also be carried out based on the European Commission’s adequacy decision.

If we were to transfer your personal data to other foreign KPMG network entities located outside the European Union and the European Economic Area (EU/EEA), their protection would always be ensured through the use of Standard Contractual Clauses (SCCs) approved by the European Commission. Where necessary, and to ensure an adequate level of protection, these clauses may be supplemented with additional measures based on our assessment of the risks of the specific cross-border transfer of personal data.

Of course, KPMG also provides your personal data to its employees, who are bound by confidentiality, appropriate instructions, and KPMG internal policies supporting privacy and personal data protection, always only to the extent necessary for the performance of their job functions.

In addition, KPMG may transfer certain personal data outside the EEA to external companies that cooperate with us or act on our behalf, for the purposes described in this General Information. KPMG may also store personal data outside the EEA. These cross-border transfers are carried out strictly in accordance with the law and only when sufficient measures to mitigate risks and safeguards to protect the fundamental rights and freedoms of data subjects have been adopted, as required by the Court of Justice in Case C-311/18 (Schrems II).



| Supplier / Third Party | Appropriate safeguards and complementary measures for cross-border transfers to third countries |
|---|---|
| Adobe Systems, Inc., located at 345 Park Avenue San Jose, CA 95110-2704, United States of America (USA) | Privacy Policy; DPA Agreement with Incorporated Standard Contractual Clauses; Certification in the Data Privacy Framework covered by this European Commission adequacy decision pursuant to Article 45 of the GDPR |
| Bitsight Technologies, Inc., located at 111 Huntington Ave., 19th Floor Boston, MA 02199, United States of America (USA) | Privacy Policy; DSA Agreement with Incorporated EU SCCs; Certification in the Data Privacy Framework covered by this European Commission adequacy decision pursuant to Article 45 of the GDPR |
| Cloudflare, Inc., located at 101 Townsend Street, San Francisco, CA 94107, United States (USA) | Cloudflare Privacy Policy; DPA agreement with incorporated standard contractual clauses; Certification in the Data Privacy Framework covered by this European Commission adequacy decision pursuant to Article 45 of the GDPR |
| Google LLC, located at 1600 Amphitheatre Pkwy Mountain View, CA 94043, United States (USA) | Google Privacy Policy; Certification in the Data Privacy Framework covered by this European Commission adequacy decision pursuant to Article 45 of the GDPR; New type of standard contractual clauses approved by the relevant European Commission decision (Module 1 and Module 2) and relevant additional measures with further explanation of the settings |
| Meta Platforms, Inc., located at 1601 Willow Rd Menlo Park, CA 94025, United States (USA) | Facebook Privacy Policy, Instagram Privacy Policy; Certification in the Data Privacy Framework covered by this European Commission adequacy decision pursuant to Article 45 of the GDPR; EU SCCs - available here |
| Microsoft Corporation, located at Redmond, Washington 98052-6399, United States (USA) | Microsoft Privacy Statement; Certification in the Data Privacy Framework covered by this European Commission adequacy decision pursuant to Article 45 of the GDPR; EU SCCs - available here: https://docs.microsoft.com/en-us/microsoft-365/compliance/offerings-eu-model-clauses?view=o365-worldwide; Microsoft Products and Services Data Protection Addendum (DPA): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA |
| LinkedIn Corporation, located at 1000 W Maude Ave Sunnyvale, CA 94085, United States (USA) | LinkedIn Privacy Policy; Certification in the Data Privacy Framework covered by this European Commission adequacy decision pursuant to Article 45 of the GDPR; The new type of standard contractual clauses approved by the relevant European Commission decision (Module 2) is used, which also describes other measures taken |
| Introhive, Inc., located at 330 N Wabash Ave, Suite 24, Chicago, Illinois 60654 United States (USA) / Introhive Services, Inc., located at 364 Argyle St, 3rd Floor, Fredericton, NB E3B 1T9, Canada | Introhive Privacy Policy; Commission adequacy decision for Canada; The new type of standard contractual clauses approved by the relevant European Commission decision (Module 2) is used, which also describes other measures taken and additional measures |
| SuccessFactors Inc. (now part of SAP SuccessFactors), located at 1 Tower Place, Suite 1100, South San Francisco, CA 94080, United States (USA) | SAP Privacy Statement; EU SCCs incorporated into the DPA agreement; Certification in the Data Privacy Framework covered by this European Commission adequacy decision pursuant to Article 45 of the GDPR; FAQs for Transfer Impact Assessments |

KPMG does not sell your personal data to any third parties.


10. General Retention Periods for Personal Data

We retain personal data only for as long as necessary for the purposes for which the personal data are processed. In general, the retention period is determined by legal requirements. If no specific legal retention period applies, we determine the retention period of your personal data in relation to the specific purpose through our internal group policies and/or our records management plan. If we process your personal data based on your consent, once the consent is withdrawn, we are obliged to stop processing your personal data for that purpose. However, this does not prevent us from continuing to process your personal data on another legal basis, particularly if it is necessary to comply with legal obligations. The general retention periods for personal data for the purposes defined by us are as follows:

| Purpose of personal data processing | General period of retention of personal data |
|---|---|
| Provision of services | At least 10 years from the termination of the provision of services, or earlier if the data subject's objection to the processing of their personal data is accepted, where the legal basis for the processing was legitimate interest. |
| Employment-related purposes | For the term of employment; subsequently, we may store selected personal data for a longer period until the expiry of the relevant statutory periods for documents and data included in the employee's personal file, typically ranging from 10 years after the termination of employment to 70 years after the employee's birth. If the legal basis is legitimate interest, personal data may be processed until an objection to the processing is resolved, where in a specific case the rights and freedoms of the data subject prevail during the term of their employment. |
| IT system and personal data security | A maximum of 1 year, unless further processed for compatible legal and contractual purposes in individual cases. Unnecessary data may be deleted earlier, in the event of an objection being upheld, where the rights and freedoms of the data subject prevail over the legitimate interest pursued by KPMG. |
| Legal and contractual purposes | Legal agenda, contractual agenda, e-government: During the duration of a legal dispute or out-of-court settlement until the final and binding conclusion of the legal matter associated with the exhaustion or waiver of available remedies, or until the legal claim is satisfied (e.g., as a result of the fulfillment of an obligation) or the right is exercised (e.g., by filing a lawsuit within the time limit), or until the right (e.g., due to preclusion) or legal claim (e.g., as a result of the statute of limitations on the right or legal claim) expires. Possibly earlier in the case of a justified objection to a legitimate interest. Contractual agenda: Until the end of the contract and the expiry of the protective retention period, usually 3 years after the end of the contract. The data may also be deleted earlier if a legitimate objection to a legitimate interest is upheld. Internal quality and risk management: Until the project and all client deliverables have been completed and duly handed over / until the relevant assessment period has been duly completed and evaluated in accordance with KPMG's internal regulations. Internal administrative purposes: For the duration of internal cooperation within the KPMG group of companies and the validity of related intragroup agreements between the companies involved. Unnecessary data is deleted at least once a year. |
| Compliance with various legal obligations | Accounting agenda: 10 years following the year of creation of the accounting document containing your personal data. |
| Protection of property and ensuring security | For camera systems, a maximum of 7 days from the creation of the recording; otherwise a maximum of 1 year. Personal data may also be deleted earlier on the basis of the acceptance and handling of an objection, if the objections of the data subject in a specific case, taking into account the individual circumstances, sufficiently justify giving precedence to the rights and freedoms of the data subject. |
| Direct marketing and PR purposes | Until the withdrawal of consent or the expiry of its validity (if it was time-limited) in cases where consent was the legal basis for the processing of personal data. If the legal basis was a legitimate interest, then at most until an objection to direct marketing has been handled. In other cases, for a maximum of 2 years. |
| Statistical purposes | During the above-mentioned retention periods for other purposes. Unnecessary data is deleted on an ongoing basis after statistical outputs have been compiled, unless we use the service provider's automatic settings. In such cases, we store data processed within "Google Analytics" for a maximum of 26 months and data processed within "Facebook Page Insights" for a maximum of 90 days. Data may also be deleted earlier in the event of an objection by the data subject. |


11. Data Security and Integrity

KPMG has implemented appropriate security policies and procedures to protect personal data against unauthorized loss, misuse, alteration, or destruction. Despite KPMG’s best efforts, it is not possible to guarantee absolute security against all threats. To the extent possible, access to your personal data is limited to individuals who need to know it. Those who have access to the data are required to maintain the confidentiality of this information. We also make reasonable efforts to retain personal data only as long as necessary to fulfill an individual’s request or until the individual requests deletion of the data. More detailed information on the retention policies for specific personal data provided can be found in the relevant data protection notes below.


12. Automated Individual Decision-Making with Legal Effects on Data Subjects

KPMG does not currently engage in fully automated individual decision-making with legal effects on any data subjects within the meaning of Article 22 GDPR.


13. Changes to This Information

KPMG monitors and regularly updates this General Information to reflect our current data protection practices. If we consider a change to be significant, we will notify the affected individuals via email or another form of communication. Most changes are implemented by updating specific informational documents with more detailed definitions. However, updating these documents is not considered a change to the General Information unless the purposes of processing and legal bases described here are altered. Our regular updates to both documents are generally not substantial. Therefore, we recommend that you review this General Information periodically to stay informed about how KPMG protects your data.


Right to Lodge a Complaint with the Supervisory Authority

You always have the right to lodge a complaint with the supervisory authority overseeing our activities. Generally, this is the Office for Personal Data Protection of the Slovak Republic. In matters related to direct marketing and cookies, this is the Regulatory Authority for Electronic Communications and Postal Services of the Slovak Republic.

Office for Personal Data Protection of the Slovak Republic
Námestie 1. mája 18
811 06 Bratislava
Slovak Republic
+421 2 32 31 32 14
+421 2 32 31 32 49
statny.dozor@pdp.gov.sk
www.dataprotection.gov.sk

Office for Regulation of Electronic Communications and Postal Services of the Slovak Republic
Továrenská 7
P.O.BOX 40
828 55 Bratislava 24
Slovak Republic
0908 880 099
e-podatelna@teleoff.gov.sk
www.teleoff.gov.sk

KPMG Group in Slovakia
Bratislava, November 2025

1 For example: Act No. 311/2001 Coll., Labor Code, as amended; Act No. 82/2005 Coll. on illegal work and illegal employment and on amendments to certain acts, as amended; Act No. 663/2007 Coll. on the minimum wage, as amended; Act No. 2/1991 Coll. on collective bargaining, as amended; Act No. 5/2004 Coll. on employment services and on amendments and supplements to certain acts, as amended; Act No. 553/2003 Coll. on the remuneration of certain employees in the performance of work in the public interest and on amendments to certain acts, as amended; Act No. 552/2003 Coll. on the performance of work in the public interest, as amended; Government Regulation No. 341/2004 Coll. establishing catalogues of work activities in the performance of work in the public interest and on amendments and supplements thereto, as amended; Act No. 152/1994 Coll. on the social fund and on amendments and supplements to Act No. 286/1992 Coll. on income tax, as amended; Act No. 461/2003 Coll. on social insurance, as amended; Act No. 462/2003 Coll. on income compensation during temporary incapacity for work of an employee and on amendments to certain acts, as amended; Act No. 283/2002 Coll. on travel allowances, as amended; Act No. 55/2017 Coll. on civil service and on amendments to certain acts, as amended; Act No. 365/2004 Coll. on equal treatment in certain areas and on protection against discrimination and on amendments to certain acts (Anti-Discrimination Act), as amended; Act No. 461/2007 Coll. on the use of recording equipment in road transport; Act No. 462/2007 Coll. on the organization of working time in transport and amending Act No. 125/2006 Coll. on labor inspection and amending Act No. 82/2005 Coll. on illegal work and illegal employment and amending and supplementing certain acts, as amended by Act No. 309/2007 Coll.; Act No. 650/2004 Coll. on supplementary pension savings and amending and supplementing certain acts, as amended; Act No. 54/2019 Coll. on the protection of whistleblowers and on amendments to certain acts; Regulation of the Government of the Slovak Republic No. 113/2017 Coll., establishing civil service departments; Government Regulation No. 114/2017 Coll. establishing civil service positions that may only be held by citizens of the Slovak Republic; Decree of the Government Office of the Slovak Republic No. 126/2017 Coll., establishing details on the training of civil servants; Decree of the Government Office of the Slovak Republic No. 127/2017 Coll., laying down details on selection procedures, as amended by Decree No. 507/2019 Coll.; Decree of the Government Office of the Slovak Republic No. 128/2017 Coll., laying down details on the scope of data provided to the register of selection procedures; and other regulations.